Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2276 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2022-08-24 | N/A | 4.3 MEDIUM |
| The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog | |||||
| CVE-2022-2275 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2022-08-24 | N/A | 4.3 MEDIUM |
| The WP Edit Menu WordPress plugin before 1.5.0 does not have CSRF in an AJAX action, which could allow attackers to make a logged in admin delete arbitrary posts/pages from the blog via a CSRF attack | |||||
| CVE-2022-2198 | 1 2code | 1 Wpqa Builder | 2022-08-24 | N/A | 4.3 MEDIUM |
| The WPQA Builder WordPress plugin before 5.7 which is a companion plugin to the Hilmer and Discy , does not check authorization before displaying private messages, allowing any logged in user to read other users private message using the message id, which can easily be brute forced. | |||||
| CVE-2022-35203 | 1 Trendnet | 2 Tv-ip572pi, Tv-ip572pi Firmware | 2022-08-24 | N/A | 7.2 HIGH |
| An access control issue in TrendNet TV-IP572PI v1.0 allows unauthenticated attackers to access sensitive system information. | |||||
| CVE-2022-2172 | 1 Linkworth | 1 Linkworth | 2022-08-24 | N/A | 4.3 MEDIUM |
| The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. | |||||
| CVE-2022-25812 | 1 Transposh | 1 Transposh Wordpress Translation | 2022-08-24 | N/A | 7.2 HIGH |
| The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow allowing high privilege users such as admin to perform RCE | |||||
| CVE-2022-25811 | 1 Transposh | 1 Transposh Wordpress Translation | 2022-08-24 | N/A | 7.2 HIGH |
| The Transposh WordPress Translation WordPress plugin through 1.0.8 does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection | |||||
| CVE-2022-1932 | 1 Rezgo | 1 Rezgo Online Booking | 2022-08-24 | N/A | 6.1 MEDIUM |
| The Rezgo Online Booking WordPress plugin before 4.1.8 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting, which can be exploited either via a LFI in an AJAX action, or direct call to the affected file | |||||
| CVE-2021-3764 | 1 Linux | 1 Linux Kernel | 2022-08-24 | N/A | 5.5 MEDIUM |
| A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-3736 | 1 Linux | 1 Linux Kernel | 2022-08-24 | N/A | 5.5 MEDIUM |
| A flaw was found in the Linux kernel. A memory leak problem was found in mbochs_ioctl in samples/vfio-mdev/mbochs.c in Virtual Function I/O (VFIO) Mediated devices. This flaw could allow a local attacker to leak internal kernel information. | |||||
| CVE-2022-36261 | 1 Taogogo | 1 Taocms | 2022-08-24 | N/A | 9.1 CRITICAL |
| An arbitrary file deletion vulnerability was discovered in taocms 3.0.2, that allows attacker to delete file in server when request url admin.php?action=file&ctrl=del&path=/../../../test.txt | |||||
| CVE-2021-42627 | 2 D-link, Dlink | 8 Dir-615, Dir-615 Firmware, Dir-615 J1 and 5 more | 2022-08-24 | N/A | 9.8 CRITICAL |
| The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without authentication which can lead to disclose the information about WAN settings and also leverage attacker to modify the data fields of page. | |||||
| CVE-2022-37223 | 1 Jflyfox | 1 Jfinal Cms | 2022-08-24 | N/A | 9.8 CRITICAL |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list. | |||||
| CVE-2022-37199 | 1 Jflyfox | 1 Jfinal Cms | 2022-08-24 | N/A | 9.8 CRITICAL |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list. | |||||
| CVE-2022-30690 | 1 Wwbn | 1 Avideo | 2022-08-24 | N/A | 6.1 MEDIUM |
| A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. | |||||
| CVE-2021-3481 | 1 Qt | 1 Qt | 2022-08-24 | N/A | 7.1 HIGH |
| A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability. | |||||
| CVE-2021-24912 | 1 Transposh | 1 Transposh Wordpress Translation | 2022-08-24 | N/A | 5.4 MEDIUM |
| The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin | |||||
| CVE-2021-24911 | 1 Transposh | 1 Transposh Wordpress Translation | 2022-08-24 | N/A | 5.4 MEDIUM |
| The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin "Who can translate ?" setting. | |||||
| CVE-2022-36009 | 1 Matrix | 2 Dendrite, Gomatrixserverlib | 2022-08-24 | N/A | 8.8 HIGH |
| gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2021-25356 | 1 Google | 1 Android | 2022-08-24 | 7.2 HIGH | 8.8 HIGH |
| An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed application. | |||||